Delegation fails after inactivity


Marc Castrechini

We are currently using impersonation with constrained delegation to run a
dual server environment for ASP.NET 2.0 and SQL Server 2005.

Everything is up and running great, however, we have the following issue and
are not sure where to look.

If a user is logged into our Application Server and is inactive for a
certain amount of time (to be determined) the connection to the Application
Server is still authenticated because it will serve additional page requests
(also Anonymous is disabled), however, when those additional requests
attempt to access the database they fail due to Login failed for user 'NT
AUTHORITY\ANONYMOUS LOGON'.

So it appears the ticket somehow no longer delegates to the Database
server.

If anyone has some direction or references to help track this down it would
be greatly appreciated
(Troubleshooting Kerberos Delegation doesn't help because everything works
as long as the user does not go idle).

TIA,
- Marc Castrechini

Walter Wang [MSFT]

Hi Marc,

Does this issue occur when there's no user logged into the App Server?
Also, is your server fully patched?

I'll do some consulting for your issue and get back to you later.

Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Marc Castrechini

Thanks for the feedback.

1) Yes our servers are fully patched.

2) I am not sure I understand your question regarding "no user logged into
the App Server".

I may not have been clear that this application is strictly part of our
Intranet. We are using only Windows Authentication for our IIS
applications. All ASP.NET applications are set for Impersonation="True".
The SQL Server is using strictly Windows Authentication as well.

Also, we have found some additional information that may help:
When the App Server stops delegating to the DB Server ...

1) Repeated attempts in the application using the same browser eventually
starts working thus properly delegating the user to the DB Server

2) If the browser is closed and then another instance is re-opened, sometimes
the delegation still does NOT work properly and credentials are not passed.
- Same as 1, eventually it will start delegating properly.

If I can provide a better answer regarding "No user logged into the app
server" question please let me know.

- Marc

Marc Castrechini

Furthermore ... Audit logging on the DB server shows these when the error
occurs:

Supporting the theory that the Kerberos authentication at the Application
server is downgrading to NTLM. Why, how or when does Kerberos downgrade to
NTLM?

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x4E586A8)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MW-APP1
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x4E586A8)
Logon Type: 3

Also, one potential factor: We access our application via c-name with non
standard port.

Server: MW-APP1
URL: http://OpsCenter:8082/AppName/Default.aspx

TIA for any help whatsoever.

- Marc
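The two audit entries quoted above (an NTLM network logon from MW-APP1 whose session logs off as NT AUTHORITY\ANONYMOUS LOGON) are the pattern to look for on the database server whenever the second hop of delegation breaks. The following script is an added example, not code from the original post or from Microsoft: it parses the flat "Field: value" event text in the form shown above, pairs each network logon with the logoff carrying the same Logon ID, and reports the hops that arrived as NTLM or resolved to ANONYMOUS LOGON. The sample events are constructed; only the server name MW-APP1 and the failing Logon ID are taken from the post, and the Kerberos entry is invented for contrast.

```python
"""Flag NTLM / ANONYMOUS LOGON hops in Windows Security audit text.

Added example, not code from the original post or from Microsoft. It parses
the flat "Field: value" layout of the logon/logoff events quoted in the
thread and reports the Logon IDs where the application server authenticated
to the database server with NTLM (and ended up as ANONYMOUS LOGON) instead
of with a delegated Kerberos ticket. The sample events are constructed; only
the server name MW-APP1 and the failing Logon ID come from the post.
"""

# Event headers in the flat audit text; anything else ending in ':' is a field.
EVENT_NAMES = {"Successful Network Logon", "User Logoff", "Logon Failure"}

# Constructed sample: one healthy Kerberos hop, then the failing NTLM hop.
SAMPLE_AUDIT_LOG = """\
Successful Network Logon:
User Name: jdoe
Domain: CORP
Logon ID: (0x0,0x4E5860F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Logon GUID: {11111111-2222-3333-4444-555555555555}
Transited Services: -

User Logoff:
User Name: jdoe
Domain: CORP
Logon ID: (0x0,0x4E5860F)
Logon Type: 3

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x4E586A8)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MW-APP1
Logon GUID: -
Transited Services: -

User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x4E586A8)
Logon Type: 3
"""


def parse_events(text):
    """Split the flat audit text into dicts: {'event': name, field: value, ...}."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in EVENT_NAMES:
            current = {"event": line[:-1]}
            events.append(current)
            continue
        key, sep, value = line.partition(":")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return events


def classify_hops(events):
    """Pair each network logon with the logoff carrying the same Logon ID.

    A logon whose session later logs off as NT AUTHORITY\\ANONYMOUS LOGON is
    the signature of a second hop that arrived without delegated credentials.
    """
    logoffs = {e.get("Logon ID"): e for e in events if e["event"] == "User Logoff"}
    hops = []
    for e in events:
        if e["event"] != "Successful Network Logon":
            continue
        off = logoffs.get(e.get("Logon ID"), {})
        hops.append({
            "logon_id": e.get("Logon ID"),
            "package": e.get("Authentication Package"),
            "workstation": e.get("Workstation Name"),
            "anonymous": (off.get("User Name") == "ANONYMOUS LOGON"
                          and off.get("Domain") == "NT AUTHORITY"),
        })
    return hops


def suspicious_hops(hops, app_server=None):
    """Hops that did not use Kerberos, or that resolved to ANONYMOUS LOGON.

    With app_server set, only hops whose Workstation Name matches it are
    reported, which narrows the output to the middle-tier server in question.
    """
    out = []
    for h in hops:
        if app_server and (h["workstation"] or "").upper() != app_server.upper():
            continue
        if h["package"] != "Kerberos" or h["anonymous"]:
            out.append(h)
    return out


if __name__ == "__main__":
    for h in suspicious_hops(classify_hops(parse_events(SAMPLE_AUDIT_LOG))):
        print("Logon ID %(logon_id)s from %(workstation)s used %(package)s; "
              "anonymous=%(anonymous)s" % h)
```

Run it against event descriptions copied out of the database server's Security log in the same flat layout; every Logon ID it reports is a request whose Kerberos ticket did not make the second hop, and the timestamps of those entries can be lined up with the user's idle period described above.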

Walter Wang [MSFT]

Hi Marc,

Following blog might be helpful:

#alik levin's : SOA, Kerberos, IIS, and Security Best Practices
http://blogs.microsoft.co.il/blogs/alikl/archive/2006/12/05/SOA_2C00_-Kerberos_2C00_-IIS_2C00_-and-Security-Best-Practices.aspx


To fully troubleshoot such issue, it might need to monitor/trace the
network packets between the servers. I've searched in our internal support
database, but failed to find similar cases to your issue.

I'm not sure if following KB is relevant for your scenario:

#Installing security update MS05-019 or Windows Server 2003 Service Pack 1
may cause network connectivity between clients and servers to fail
http://support.microsoft.com/kb/898060/en-us


I'm afraid you might have to contact Microsoft Product Support and Service
for further help.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

Walter Wang [MSFT]

2) I am not sure I understand your question regarding "no user logged into the App Server".

My mistake, please ignore that question. That day I was also looking into
following similar issue to yours:

http://msdn.microsoft.com/newsgroups/managed/Default.aspx?dg=microsoft.public.dotnet.framework.aspnet.webservices&mid=41de9944-ef69-4069-932b-2acd2ecadb78&sloc=en-us&p=1

It seems this post owner also has a similar symptom to yours and he
mentioned that the issue is gone when the user logs out and logs back in. I
also just realized he should be referring to the client workstation instead
of the application server.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support